Advice Request: Windows Defender disabled by malware

Templarware

Level 9
Thread author
Verified
Well-known
Mar 13, 2021
416
I found this thread on Reddit, where a user is claiming that Windows Defender can be easily disabled by malware and even by trusted applications.

Thoughts?
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
I don't trust any claims from "users of the Internet". Who are they, are they recognised, and why believe the things they are saying?

If I am not mistaken, malware can disable most antivirus software.

I do not know the inner workings. Windows 10 is programmed to disable Microsoft Defender Antivirus when it detects an installation of third-party antivirus software, for compatibility reasons, obviously.

Defender Control - What's the point of that software?
"If Windows Defender 'Tamper Protection' is turned on, Defender Control requires the TrustedInstaller service to bypass protection and turn off Defender. Therefore, if there is a problem with the TrustedInstaller service, the Defender Control application may not work properly."
 

Nagisa

Level 7
Verified
Jul 19, 2018
341
Those types of tools (such as Defender Control) that can be used to alter the settings of Defender are detected as malware until they are manually sent to Microsoft to get whitelisted, as far as I know.

"just use a script to silently run Defender Control, unzip a password protected .zip file, and then execute their payload (maybe delete everything after as well); job done, Defender disabled and computer infected."

I wonder if it would work.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
It will if you are going to do it manually. Such an attack has the best chances when done with a little social engineering, when the user manually accepts the UAC prompt. Any malware that can get high privileges can smash your system even without disabling the AV.
It is harder to do it without user interaction. The attacker has to include the UAC bypass and the unpacking command line in the script. Furthermore, the attack would usually require two executables (Defender Control + unpacker) and a payload. The files have to be delivered, usually from an untrusted URL. There are some modifications available. All of this significantly increases the suspiciousness of the attack, so one cannot be sure that it would succeed in the wild in a real-world scenario.
Similar possibilities have been available for years and were only rarely used in the wild. This method can be used in targeted attacks, but not to disable Defender permanently. Disabling Defender temporarily (also due to Defender Tamper Protection) can be used to run exploit kits for lateral movement and to hide traces.
 
Last edited:
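The posts above argue about what "disabling Defender" actually changes (the real-time engine, the policy registry values, Tamper Protection, the service itself). The script below is an added example written for this page, not something from the thread or from Defender Control, that audits exactly those switches from an elevated PowerShell on Windows 10/11 and prints a tamper indicator for each one that is not in its expected state. Everything it reads (`Get-MpComputerStatus`, `Get-MpPreference`, the `Policies\Microsoft\Windows Defender` keys, the `WinDefend` and `WdNisSvc` services) is part of the platform; the one assumption is the meaning of the `Features\TamperProtection` value (5 = on, 4 = off), which is taken from field observation rather than a published specification and is marked as such in the code.

```powershell
# Added example (not from the thread): audit the Defender switches an attacker
# or a tool like Defender Control would need to flip, and report each one that
# does not look intact. Run elevated on Windows 10/11 with the Defender module.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Live engine state as the platform itself reports it.
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine reports disabled') }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring is off') }
if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off') }
if ($status.AMRunningMode -ne 'Normal')     { $findings.Add("Running mode is '$($status.AMRunningMode)' (expected Normal)") }
if ($prefs.DisableRealtimeMonitoring)       { $findings.Add('Preference DisableRealtimeMonitoring = True') }
if ($prefs.MAPSReporting -eq 0)             { $findings.Add('Cloud-delivered protection (MAPS) is off') }

# 2. Exclusions blind Defender without "disabling" it, so list every one.
foreach ($x in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess) + @($prefs.ExclusionExtension)) {
    if ($x) { $findings.Add("Exclusion present: $x") }
}

# 3. Policy values that Defender-killing tools historically wrote. Microsoft has
#    said DisableAntiSpyware is ignored on recent platform versions, but its mere
#    presence is still worth reporting as a tamper indicator.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiVirus' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring' }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -eq 1) { $findings.Add("Policy value $($c.Path)\$($c.Name) = 1") }
}

# 4. Tamper Protection switch in the Features key.
#    ASSUMPTION: 5 means enabled and 4 means disabled (field observation, not a spec).
$tp = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' `
        -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection
if ($null -ne $tp -and $tp -ne 5) { $findings.Add("Features\TamperProtection = $tp (expected 5)") }

# 5. A stopped or disabled engine service is the classic symptom in this thread.
foreach ($svcName in 'WinDefend', 'WdNisSvc') {
    $s = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($null -eq $s)                { $findings.Add("Service $svcName not found") }
    elseif ($s.Status -ne 'Running') { $findings.Add("Service $svcName is $($s.Status) (StartType $($s.StartType))") }
}

if ($findings.Count -eq 0) { 'Defender state looks intact.' }
else { $findings | ForEach-Object { "TAMPER INDICATOR: $_" } }
```

Run it once on a known-good machine to learn what "intact" looks like in your environment (some enterprise builds legitimately set `AMRunningMode` to Passive when another AV is registered, as Ink notes above), then compare against a suspect host. A clean result from this script does not prove nothing happened earlier in the session; it only reflects the current state.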

Freud2004

Level 10
Verified
Well-known
Jun 26, 2020
440
I found this thread on Reddit, where a user is claiming that Windows Defender can be easily disabled by malware and even by trusted applications.

Thoughts?

Yes, it happened to me, with both Defender and Kaspersky. The malware was in a KMS used to activate Office, which needed to be run with administrator privileges. The error was mine, but it uninstalled both AVs.
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
565
With decent Windows hardening measures in place, it seems a script maliciously launching this isn't so easy to pull off. This is even after allowing UAC elevation. BTW, I just manually attempted to launch Defender Control. OSArmor would have blocked a script attempting the same.
 

Freud2004

Level 10
Verified
Well-known
Jun 26, 2020
440

With decent Windows hardening measures in place, it seems a script maliciously launching this isn't so easy to pull off. This is even after allowing UAC elevation. BTW, I just manually attempted to launch Defender Control. OSArmor would have blocked a script attempting the same.

These scripts never got to the exe files; Kaspersky and Defender both went down because some specific registry entries were deleted.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Disabling Defender can only be done after your system has been compromised, that is, after detection by Defender has already been evaded.
It does not work to evade detection before the infection takes place. Thus, it is not such a weakness as some internet users like to portray it.
The only reason Defender is disabled after infection is to ensure persistence in the long run. Antivirus programs would pick up the malware after some time. But it does not work as an entry point to infect the system in the first place.

Defender Control is very helpful to disable Defender on my malware analysis machines. But even if I turn Defender off, some parts of Defender still activate from time to time which is pretty annoying.
 

Local Host

Disabling Defender can only be done after your system has been compromised, that is, after detection by Defender has already been evaded.
It does not work to evade detection before the infection takes place. Thus, it is not such a weakness as some internet users like to portray it.
The only reason Defender is disabled after infection is to ensure persistence in the long run. Antivirus programs would pick up the malware after some time. But it does not work as an entry point to infect the system in the first place.

Defender Control is very helpful to disable Defender on my malware analysis machines. But even if I turn Defender off, some parts of Defender still activate from time to time, which is pretty annoying.
It seems you misunderstand how this has been abused in the past, which forced Microsoft's hand with Anti-Tamper (which is still useless to an extent). Windows Defender can indeed be easily disabled.

It's pretty obvious the payload is only downloaded after disabling WD; the script that disables WD itself is not supposed to be detected, nor is it the real malware.
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
565
It's pretty obvious the payload is only downloaded after disabling WD; the script that disables WD itself is not supposed to be detected, nor is it the real malware.
But in this hypothetical case, isn't Defender Control the malware that disables Windows Defender? And while the script isn't the actual malware, it's still a vital link in the chain of events in the exploit process. Stop the unauthorized script, and you stop the malware.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
It seems you misunderstand how this has been abused in the past, which forced Microsoft's hand with Anti-Tamper (which is still useless to an extent). Windows Defender can indeed be easily disabled.

It's pretty obvious the payload is only downloaded after disabling WD; the script that disables WD itself is not supposed to be detected, nor is it the real malware.
I do not think that @struppigel missed anything; on the contrary, he understands well how such attacks were performed in the wild. This attack in the wild would not be a simple deactivation of the AV. Many AVs can recognize several other suspicious features (delivery method, use of scripting, UAC bypass, code and executable for unpacking, code for payload execution, code for Defender Control execution, etc.) before the script might get the chance to disable protection. From time to time it is probably possible to bypass the AV protection in this way (many AVs were disabled in the past). But this has more cons than pros. In the case of Defender, Tamper Protection makes it even less attractive.

Microsoft did not introduce Tamper Protection to prevent such attacks as a primary infection vector. The reason was to prevent similar methods performed in the wild on already compromised systems for persistence and lateral movement. Simply put, disabled Defender protection is re-enabled by the system after some time.

Edit.
A similar misunderstanding is often related to DLL hijacking. This method is not used as a primary infection vector either. It could be used, but this currently has more cons than pros. It is used in the wild on already compromised systems to make the attack more dangerous (UAC bypass, stealthy persistence, etc.).
 
Last edited:

Freud2004

Level 10
Verified
Well-known
Jun 26, 2020
440
Disabling Defender can only be done after your system has been compromised, that is, after detection by Defender has already been evaded.
It does not work to evade detection before the infection takes place. Thus, it is not such a weakness as some internet users like to portray it.
The only reason Defender is disabled after infection is to ensure persistence in the long run. Antivirus programs would pick up the malware after some time. But it does not work as an entry point to infect the system in the first place.

Defender Control is very helpful to disable Defender on my malware analysis machines. But even if I turn Defender off, some parts of Defender still activate from time to time, which is pretty annoying.

In my case, I suspect a RAT (Remote Access Trojan, a form of malware allowing a hacker to control your device remotely) was installed when I used the KMS activator.

The system never seemed to be compromised and nothing strange happened, but I started to see some CPU utilization that was not normal.

When I started to get suspicious and clicked on the KIS icon to scan the system, KIS simply couldn't run, it just crashed. Then I went to Windows Defender to try to run it and it was broken, with yellow icons in the Control Panel.

I just downloaded the Kaspersky free virus scan tool, and it immediately discovered a trojan and a miner on the system.

The work was done in two phases: first the AVs on the system were compromised, then the malware was installed, because Kaspersky detected the Trojan easily.

It took about two days to discover the problem, because the Kaspersky icon still appeared in the system tray, but when you clicked on it, it just crashed.

If the miner had not been planted, causing some suspicious CPU activity, it would have taken me more time to realize that KIS was not working.
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
565
In my case, I suspect a RAT ( Remote Access Trojan (RAT), a form of malware allowing a hacker to control your device remotely) was installed when I used the KMS activator.
I had to do a little bit of research to learn about KMS activators, and from this link k m s p i c o [dot] com , the user is required to disable their antivirus before installing kms. Could the kms activator in your case have been malicious, and it was what infected your pc? Just trying to understand exactly what happened to you and the chain of events from beginning to end.
 
Last edited by a moderator:

Freud2004

Level 10
Verified
Well-known
Jun 26, 2020
440
I had to do a little bit of research to learn about KMS activators, and from this link k m s p i c o . com , the user is required to disable their antivirus before installing kms. Could the kms activator in your case have been malicious, and it was what infected your pc? Just trying to understand exactly what happened to you and the chain of events from beginning to end.

I don't remember the chain of events exactly, but it is certain that I disabled the AV or ignored some warning to run the KMS; one of these two situations happened.
Yes, I am suspicious of the KMS. I think that this tool does more than it was supposed to do.
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
565
I don't remember the chain of events exactly, but it is certain that I disabled the AV or ignored some warning to run the KMS; one of these two situations happened.
Yes, I am suspicious of the KMS. I think that this tool does more than it was supposed to do.

Okay thanks, that's kind of what makes sense to me. I'm often reading up on malware analysis reports in an effort to gain some understanding about how modern day threats work, even though I'll never get anywhere near expert level. Sorry about what happened to you.
 

Local Host

But in this hypothetical case, isn't Defender Control the malware that disables Windows Defender? And while the script isn't the actual malware, it's still a vital link in the chain of events in the exploit process. Stop the unauthorized script, and you stop the malware.
Windows Defender's protection against scripts is poor by default, so it is not stopping anything unless it's flagged as known malware.

I can easily bypass UAC and disable WD with a C# application, and it won't be detected.

From there I could download any known or unknown malware to do whatever.
I do not think that @struppigel missed anything; on the contrary, he understands well how such attacks were performed in the wild. This attack in the wild would not be a simple deactivation of the AV. Many AVs can recognize several other suspicious features (delivery method, use of scripting, UAC bypass, code and executable for unpacking, code for payload execution, code for Defender Control execution, etc.) before the script might get the chance to disable protection. From time to time it is probably possible to bypass the AV protection in this way (many AVs were disabled in the past). But this has more cons than pros. In the case of Defender, Tamper Protection makes it even less attractive.

Microsoft did not introduce Tamper Protection to prevent such attacks as a primary infection vector. The reason was to prevent similar methods performed in the wild on already compromised systems for persistence and lateral movement. Simply put, disabled Defender protection is re-enabled by the system after some time.

Edit.
A similar misunderstanding is often related to DLL hijacking. This method is not used as a primary infection vector either. It could be used, but this currently has more cons than pros. It is used in the wild on already compromised systems to make the attack more dangerous (UAC bypass, stealthy persistence, etc.).
Agree to disagree.
"Tamper Protection protects against malicious actors modifying the configuration of Microsoft Defender on Windows 10 clients to disable AV protection, real-time protection, behavior monitoring, cloud-delivered protection, or to remove security intelligence updates."
Tamper Protection is useless because you can still disable WD in the current session (it won't turn back on, already tested); only after a restart is WD back on (and only if not already corrupted by malware), and by then it is too late.

Microsoft had to go as far as removing registry entries for WD, because it was that easy to bypass Tamper Protection, and it still is, unfortunately.
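Whether one sides with struppigel and Andy Ful (Defender is disabled after compromise, for persistence) or with Local Host (it stays off for the rest of the session), both positions agree that the protection is off for some window and comes back later. That window leaves a trail in the Defender Operational event log, which is what an incident responder checks after a story like Freud2004's. The script below is an added example written for this page, not code from the thread, that pulls those events for the last 30 days. The event IDs are Microsoft's documented Defender Antivirus IDs (5001 real-time protection disabled, 5004 real-time configuration changed, 5007 platform configuration changed, 5010 antispyware disabled, 5012 antivirus disabled, 5013 Tamper Protection blocked a change); the list of "kill switch" value names used to filter the noisy 5007 events is the author's choice and is labelled as such in the code.

```powershell
# Added example (not from the thread): list Defender Operational log events that
# record protection being turned off or a tamper attempt being blocked, so a
# temporary "Defender was off, then came back" episode can still be seen.
# Run elevated; reading this log as a standard user is normally denied.

$ids = @{
    5001 = 'Real-time protection disabled'
    5004 = 'Real-time protection configuration changed'
    5007 = 'Platform configuration changed'
    5010 = 'Antispyware protection disabled'
    5012 = 'Antivirus protection disabled'
    5013 = 'Tamper Protection blocked a change'
}

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$ids.Keys
    StartTime = (Get-Date).AddDays(-30)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

if (-not $events) {
    'No protection-disable or tamper events in the last 30 days.'
    return
}

# 5007 also fires for routine changes (signature updates, scan schedules).
# ASSUMPTION: only 5007 events that mention one of these value names matter here.
$killSwitches = 'DisableAntiSpyware', 'DisableRealtimeMonitoring',
                'DisableBehaviorMonitoring', 'DisableIOAVProtection', 'TamperProtection'

$events | ForEach-Object {
    $msg = $_.Message -replace '\s+', ' '
    if ($_.Id -eq 5007) {
        $hit = $killSwitches | Where-Object { $msg -like "*$_*" }
        if (-not $hit) { return }   # skip benign 5007 noise
    }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        What   = $ids[[int]$_.Id]
        Detail = if ($msg.Length -gt 160) { $msg.Substring(0, 160) + '...' } else { $msg }
    }
} | Format-Table -AutoSize -Wrap
```

A 5001 or 5012 with no matching 5013 means the change went through; a 5013 means Tamper Protection did its job. Read the timestamps against the process-creation or PowerShell logs from the same minutes to see what ran just before the protection dropped. If the log itself is empty or stops abruptly on a machine that has clearly been running, treat that as a finding in its own right, since clearing the Defender log is another thing an attacker with local admin can do.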
 
